From e63175ecf66f682721f2ba0337f65330aa798744 Mon Sep 17 00:00:00 2001 From: Matias Karhumaa Date: Tue, 16 Oct 2018 23:23:47 +0300 Subject: [PATCH] btmon: fix segfault caused by buffer over-read Fix segfault caused by buffer over-read in btmon. Fix is to check in packet_monitor() that index is not bigger than MAX_INDEX before accessing index_list. Crash was found by fuzzing btmon with AFL. --- monitor/packet.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/monitor/packet.c b/monitor/packet.c index bb2f5a8b7..cf4a64362 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -3861,6 +3861,11 @@ void packet_monitor(struct timeval *tv, struct ucred *cred, index_current = index; } + if (index != HCI_DEV_NONE && index > MAX_INDEX) { + print_field("Invalid index (%d)", index); + return; + } + if (tv && time_offset == ((time_t) -1)) time_offset = tv->tv_sec; -- 2.47.3